Recently, several organizations have released data on security breaches for 2008. As you would expect, there were more reported breaches in 2008 than in 2007. Based on information from the Identity Theft Resource Center, the trend is summarized below:

2008 – 656 breaches with 35.6 million records exposed

2007 – 446 breaches with 127 million records exposed

2006 – 315 breaches with 20 million records exposed

2005 – 158 breaches with 64.8 million records exposed

The trend is clear: more breaches are being reported, with a more than 4X increase in the last four years. The question is whether this indicates an actual increase in compromised systems or an increase in the number of organizations reporting breaches.

In 2003, California became the first state to pass a data breach disclosure law. Since then, at least 43 other states have passed similar legislation requiring organizations to notify their customers in the event that their personal information is disclosed. And the federal government is considering passing similar legislation. Thus, enterprises are now required to report data breach incidents, whereas in the past this was not the case. Therefore, it would be a mistake to assume that the rise in the incidence of reported data disclosure incidents is strictly due to a greater number of such incidents. It is difficult to know whether the rise is due to greater reporting requirements or an actual increase in the number of incidents.

One thing is certain: state laws requiring notification of data disclosures have led to a wealth of information on such incidents. And organizations such as the Open Security Foundation have built web sites that track and publish information on data loss incidents. This is a positive outcome of state breach notification laws, as it will force companies to take proactive measures to secure their customers’ personal information, which will help make us all more secure.